elastic · szwarckonrad · Jan 20, 2026 · Jan 15, 2026 · Jan 15, 2026 · Jan 16, 2026
@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common';
+import type { FtrProviderContext } from '../../ftr_provider_context';
+
+export default function ({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+  const fleetAndAgents = getService('fleetAndAgents');
+  const kibanaServer = getService('kibanaServer');
+  const fleetApiVersion = '2023-10-31';
+  const osqueryInternalApiVersion = '1';
+
+  const getAssetsStatus = () =>
+    supertest
+      .get('/internal/osquery/assets')
+      .set('kbn-xsrf', 'true')
+      .set('elastic-api-version', osqueryInternalApiVersion);
+
+  const updateAssetsStatus = () =>
+    supertest
+      .post('/internal/osquery/assets/update')
+      .set('kbn-xsrf', 'true')
+      .set('elastic-api-version', osqueryInternalApiVersion);
+
+  describe('Assets', () => {
+    let osqueryPackageVersion: string | undefined;
+
+    before(async () => {
+      await kibanaServer.savedObjects.cleanStandardList();
+      await fleetAndAgents.setup();
+
+      const { body: osqueryPackageResponse } = await supertest
+        .get('/api/fleet/epm/packages/osquery_manager')
+        .set('kbn-xsrf', 'true')
+        .set(ELASTIC_HTTP_VERSION_HEADER, fleetApiVersion)
+        .set('x-elastic-internal-product', 'security-solution');
+
+      osqueryPackageVersion = osqueryPackageResponse.item?.version;
+
+      if (osqueryPackageVersion) {
+        await supertest
+          .post(`/api/fleet/epm/packages/osquery_manager/${osqueryPackageVersion}`)
+          .set('kbn-xsrf', 'true')
+          .set(ELASTIC_HTTP_VERSION_HEADER, fleetApiVersion)
+          .send({ force: true })
+          .expect(200);
+      }
+    });
+
+    after(async () => {
+      if (osqueryPackageVersion) {
+        await supertest
+          .delete(`/api/fleet/epm/packages/osquery_manager/${osqueryPackageVersion}`)
+          .set('kbn-xsrf', 'true')
+          .set(ELASTIC_HTTP_VERSION_HEADER, fleetApiVersion);
+      }
+
+      await kibanaServer.savedObjects.cleanStandardList();
+    });
+
+    it('returns prebuilt pack assets status with install, update, and upToDate arrays', async () => {
+      const response = await getAssetsStatus();
+
+      expect(response.status).to.be(200);
+      expect(response.body).to.have.property('install');
+      expect(response.body).to.have.property('update');
+      expect(response.body).to.have.property('upToDate');
+      expect(response.body.install).to.be.an('array');
+      expect(response.body.update).to.be.an('array');
+      expect(response.body.upToDate).to.be.an('array');
+    });
+
+    it('installs prebuilt pack assets and returns updated status', async () => {
+      const updateResponse = await updateAssetsStatus();
+
+      expect(updateResponse.status).to.be(200);
+      expect(updateResponse.body).to.have.property('install');
+      expect(updateResponse.body).to.have.property('update');
+      expect(updateResponse.body).to.have.property('upToDate');
+
+      const statusAfterUpdate = await getAssetsStatus();
+      expect(statusAfterUpdate.status).to.be(200);
+
+      const totalAssets =
+        statusAfterUpdate.body.install.length +
+        statusAfterUpdate.body.update.length +
+        statusAfterUpdate.body.upToDate.length;
+      expect(totalAssets).to.be.greaterThan(0);
+    });
+  });
+}
@@ -0,0 +1,172 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common';
+import type { FtrProviderContext } from '../../ftr_provider_context';
+
+export default function ({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+  const fleetAndAgents = getService('fleetAndAgents');
+  const kibanaServer = getService('kibanaServer');
+  const fleetApiVersion = '2023-10-31';
+  const osqueryInternalApiVersion = '1';
+
+  const getWithInternalHeaders = (path: string) =>
+    supertest
+      .get(path)
+      .set('kbn-xsrf', 'true')
+      .set('elastic-api-version', osqueryInternalApiVersion);
+
+  const postWithInternalHeaders = (path: string) =>
+    supertest
+      .post(path)
+      .set('kbn-xsrf', 'true')
+      .set('elastic-api-version', osqueryInternalApiVersion);
+
+  describe('Fleet wrapper', () => {
+    let agentPolicyId: string;
+    let agentId: string;
+    let packagePolicyId: string | undefined;
+
+    before(async () => {
+      await kibanaServer.savedObjects.cleanStandardList();
+      await fleetAndAgents.setup();
+
+      const { body: agentPolicyResponse } = await supertest
+        .post('/api/fleet/agent_policies')
+        .set('kbn-xsrf', 'true')
+        .set(ELASTIC_HTTP_VERSION_HEADER, fleetApiVersion)
+        .send({
+          name: `Osquery policy ${Date.now()}`,
+          namespace: 'default',
+        });
+
+      agentPolicyId = agentPolicyResponse.item.id;
+      agentId = `osquery-agent-${Date.now()}`;
+
+      const { body: osqueryPackageResponse } = await supertest
+        .get('/api/fleet/epm/packages/osquery_manager')
+        .set('kbn-xsrf', 'true')
+        .set(ELASTIC_HTTP_VERSION_HEADER, fleetApiVersion)
+        .set('x-elastic-internal-product', 'security-solution');
+
+      const { body: packagePolicyResponse } = await supertest
+        .post('/api/fleet/package_policies')
+        .set('kbn-xsrf', 'true')
+        .set(ELASTIC_HTTP_VERSION_HEADER, fleetApiVersion)
+        .send({
+          policy_id: agentPolicyId,
+          package: {
+            name: 'osquery_manager',
+            version: osqueryPackageResponse.item?.version,
+          },
+          name: `Osquery policy ${Date.now()}`,
+          description: '',
+          namespace: 'default',
+          inputs: {
+            'osquery_manager-osquery': {
+              enabled: true,
+              streams: {},
+            },
+          },
+        });
+
+      packagePolicyId = packagePolicyResponse.item?.id;
+
+      await fleetAndAgents.generateAgent('online', agentId, agentPolicyId);
+    });
+
+    after(async () => {
+      if (agentPolicyId) {
+        await supertest
+          .post('/api/fleet/agent_policies/delete')
+          .set('kbn-xsrf', 'true')
+          .set(ELASTIC_HTTP_VERSION_HEADER, fleetApiVersion)
+          .send({ agentPolicyId });
+      }
+
+      if (packagePolicyId) {
+        await supertest
+          .post('/api/fleet/package_policies/delete')
+          .set('kbn-xsrf', 'true')
+          .set(ELASTIC_HTTP_VERSION_HEADER, fleetApiVersion)
+          .send({ packagePolicyIds: [packagePolicyId] });
+      }
+
+      await kibanaServer.savedObjects.cleanStandardList();
+    });
+
+    it('lists agents', async () => {
+      const response = await getWithInternalHeaders(
+        '/internal/osquery/fleet_wrapper/agents?page=1&perPage=20&showInactive=false&kuery='
+      );
+
+      expect(response.status).to.be(200);
+      expect(response.body.total).to.be.greaterThan(0);
+      expect(response.body).to.have.property('agents');
+      expect(response.body).to.have.property('groups');
+    });
+
+    it('returns bulk agent details', async () => {
+      const response = await postWithInternalHeaders(
+        '/internal/osquery/fleet_wrapper/agents/_bulk'
+      ).send({
+        agentIds: [agentId],
+      });
+
+      expect(response.status).to.be(200);
+      expect(response.body.agents.some((agent: { id: string }) => agent.id === agentId)).to.be(
+        true
+      );
+    });
+
+    it('lists agent policies', async () => {
+      const response = await getWithInternalHeaders(
+        '/internal/osquery/fleet_wrapper/agent_policies'
+      );
+
+      expect(response.status).to.be(200);
+      expect(response.body).to.be.an('array');
+    });
+
+    it('reads an agent policy', async () => {
+      const response = await getWithInternalHeaders(
+        `/internal/osquery/fleet_wrapper/agent_policies/${agentPolicyId}`
+      );
+
+      expect(response.status).to.be(200);
+      expect(response.body.item.id).to.be(agentPolicyId);
+    });
+
+    it('returns agent status for policy', async () => {
+      const response = await getWithInternalHeaders(
+        `/internal/osquery/fleet_wrapper/agent_status?policyId=${agentPolicyId}`
+      );
+
+      expect(response.status).to.be(200);
+    });
+
+    it('lists package policies', async () => {
+      const response = await getWithInternalHeaders(
+        '/internal/osquery/fleet_wrapper/package_policies'
+      );
+
+      expect(response.status).to.be(200);
+      expect(response.body).to.have.property('items');
+    });
+
+    it('returns agent details', async () => {
+      const response = await getWithInternalHeaders(
+        `/internal/osquery/fleet_wrapper/agents/${agentId}`
+      );
+
+      expect(response.status).to.be(200);
+      expect(response.body.item.id).to.be(agentId);
+    });
+  });
+}
@@ -10,5 +10,11 @@ import type { FtrProviderContext } from '../../ftr_provider_context';
 export default function ({ loadTestFile }: FtrProviderContext) {
   describe('Osquery Endpoints', () => {
     loadTestFile(require.resolve('./packs'));
+    loadTestFile(require.resolve('./assets'));
+    loadTestFile(require.resolve('./fleet_wrapper'));
+    loadTestFile(require.resolve('./saved_queries'));
+    loadTestFile(require.resolve('./privileges_check'));
+    loadTestFile(require.resolve('./status'));
+    loadTestFile(require.resolve('./live_queries'));
   });
 }
@@ -0,0 +1,102 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import type { FtrProviderContext } from '../../ftr_provider_context';
+
+export default function ({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+  const es = getService('es');
+  const osqueryPublicApiVersion = '2023-10-31';
+
+  const actionIndex = '.logs-osquery_manager.actions-default';
+
+  const createActionDoc = async () => {
+    const actionId = `action-${Date.now()}`;
+    const queryActionId = `query-${Date.now()}`;
+
+    await es.index({
+      index: actionIndex,
+      id: actionId,
+      refresh: 'wait_for',
+      document: {
+        action_id: actionId,
+        '@timestamp': new Date().toISOString(),
+        expiration: new Date(Date.now() + 5 * 60 * 1000).toISOString(),
+        agent_selection: { all: true },
+        agents: ['test-agent-1'],
+        user_id: 'elastic',
+        queries: [
+          {
+            action_id: queryActionId,
+            id: 'query-1',
+            query: 'select 1;',
+            agents: ['test-agent-1'],
+          },
+        ],
+      },
+    });
+
+    return { actionId, queryActionId };
+  };
+
+  const deleteActionDoc = async (actionId: string) => {
+    await es.deleteByQuery({
+      index: actionIndex,
+      allow_no_indices: true,
+      ignore_unavailable: true,
+      refresh: true,
+      query: {
+        term: {
+          action_id: actionId,
+        },
+      },
+    });
+  };
+
+  describe('Live queries', () => {
+    let actionId: string;
+    let queryActionId: string;
+
+    before(async () => {
+      const created = await createActionDoc();
+      actionId = created.actionId;
+      queryActionId = created.queryActionId;
+    });
+
+    after(async () => {
+      if (actionId) {
+        await deleteActionDoc(actionId);
+      }
+    });
+
+    it('fetches live query details by action id', async () => {
+      const detailsResponse = await supertest
+        .get(`/api/osquery/live_queries/${actionId}`)
+        .set('kbn-xsrf', 'true')
+        .set('elastic-api-version', osqueryPublicApiVersion);
+
+      expect(detailsResponse.status).to.be(200);
+      expect(detailsResponse.body.data.action_id).to.be(actionId);
+      expect(detailsResponse.body.data).to.have.property('queries');
+      expect(detailsResponse.body.data.queries).to.be.an('array');
+      expect(detailsResponse.body.data.queries[0].action_id).to.be(queryActionId);
+    });
+
+    it('fetches live query results for specific query', async () => {
+      const resultsResponse = await supertest
+        .get(`/api/osquery/live_queries/${actionId}/results/${queryActionId}`)
+        .set('kbn-xsrf', 'true')
+        .set('elastic-api-version', osqueryPublicApiVersion);
+
+      expect(resultsResponse.status).to.be(200);
+      expect(resultsResponse.body).to.have.property('data');
+      expect(resultsResponse.body.data).to.have.property('edges');
+      expect(resultsResponse.body.data).to.have.property('total');
+    });
+  });
+}